The captive portal feature is a software implementation that blocks clients from accessing the
network until user verification has been established. You can set up verification to allow access
for both guests and authenticated users. Authenticated users must be validated against a
database of authorized captive portal users before access is granted.

The authentication server supports both HTTP and HTTPS Web connections. In addition, you
can configure captive portal to use an optional HTTP port (in support of HTTP proxy networks). If
configured, this additional port is then used exclusively by captive portal. Note that this optional
port is in addition to the standard HTTP port 80, which is currently being used for all other Web
traffic.

Captive portal for wired interfaces allows the clients directly connected to the switch to be
authenticated using a captive portal mechanism before the client is given access to the network.
When a wired physical port is enabled for captive portal, the port is set in captive-portal- enabled
state such that all the traffic coming to the port from the unauthenticated clients is dropped
except for the ARP, DHCP, DNS and NETBIOS packets. The switch forwards these packets so
that unauthenticated clients can get an IP address and resolve the hostname or domain names.
Data traffic from authenticated clients goes through, and the rules do not apply to these packets.

All the HTTP/HTTPS packets from unauthenticated clients are directed to the CPU on the switch
for all the ports that are enabled for captive portal. When an unauthenticated client opens a Web
browser and tries to connect to network, the captive portal redirects all the HTTP/HTTPS traffic
from unauthenticated clients to the authenticating server on the switch. A captive portal Web
page is sent back to the unauthenticated client. The client can authenticate. If the client
successfully authentiates, the client is given access to port.